
Espionage hackers traced to Shanghai building

Hacker group just one of 25.

An explosive security report has pinned the majority of China-based attacks against the US to an army of hackers working for the People's Liberation Army out of a nondescript building on the outskirts of Shanghai.

The report, by security firm Mandiant, claims PLA Unit 61398 operates out of the complex and is responsible for a deluge of hacking traffic originating in and around it.

Members of an infamous group known in most instances as Comment Crew or Shanghai Group were allegedly tracked to the PLA unit and the building.

The extensive 60-page research document (pdf) was compiled from years of forensic work with large US corporations which have lost crucial data to allegedly China-based hackers.

It linked public accounts of data breaches against US security firms, critical infrastructure, and industrial control system and SCADA operators to a persistent, government-backed hacking outfit operating out of the white Shanghai apartment block.

"While we have certainly seen the group target some industries more heavily than others, our observations confirm that APT1 has targeted at least four of the seven strategic emerging industries that China identified in its 12th Five Year Plan."

Mandiant researchers correlated data including IP addresses, toolsets and social engineering information to attribute the attacks to the hacking group.

Beijing denied the accusations to the New York Times, and reiterated its affirmation that it is not involved in hacking which it considers illegal.

"APT1 has a well-defined attack methodology, honed over years and designed to steal massive quantities of intellectual property. They begin with aggressive spear phishing, proceed to deploy custom digital weapons, and end by exporting compressed bundles of files to China – before beginning the cycle again," the report stated.

"They employ good English — with acceptable slang — in their socially engineered emails. They have evolved their digital weapons for more than seven years, resulting in continual upgrades as part of their own software release cycle. Their ability to adapt to their environment and spread across systems makes them effective in enterprise environments with trust relationships."

APT1 typically established a foothold in organisations via a well-written spear phishing attempt containing malicious pdf files within a compressed zip. It also used custom backdoors, thought to be previously unknown, of which 42 families were detailed by Mandiant.

"We usually detect multiple families of APT1 backdoors scattered around a victim network when APT1 has been present for more than a few weeks," the report said.

The group's average infiltration lasted 356 days, with the longest stretching to four years and 10 months. The largest amount of data stolen from a single organisation was 6.5 terabytes, extracted over 10 months.

Once the attackers had compromised a network they were difficult to detect, the report said, because they connected to shared resources and could execute commands on other systems using Microsoft's PsExec tool or the Windows Task Scheduler.

"These actions are hard to detect because legitimate system administrators also use these techniques to perform actions around the network."
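The detection problem described in the two paragraphs above, as an added example that is not from the article or from Mandiant's report: a small Python triage routine run over constructed Windows event records. PsExec installs a service named PSEXESVC on the target host (System event 7045 records service installation) and scheduled task creation is logged as Security event 4698; those facts are real, while the field names, the account baseline, the maintenance window, the threshold and every record below are assumptions made for illustration. The point it shows is that a single remote-execution event looks like admin work, so the logic only alerts when several weak signals stack, and separately when one account fans out across many hosts.

```python
"""Separate routine remote administration (PsExec, scheduled tasks) from
the same techniques used for lateral movement, using stacked weak signals.

Added example; not code from the article or Mandiant. Assumes a SIEM export
where each record is a dict with the fields used here (assumed layout).
"""
from collections import defaultdict
from datetime import datetime

# Accounts expected to push software or run remote commands (constructed).
ADMIN_BASELINE = {"CORP\\svc-sccm", "CORP\\admin-ops"}
# Local hours during which scripted administrative fan-out is normal (assumed).
MAINTENANCE_WINDOW = range(1, 5)  # 01:00 to 04:59
# An account touching more distinct hosts than this in one batch is unusual.
FANOUT_THRESHOLD = 3
# 7045 (System): service installed; 4698 (Security): scheduled task created.
REMOTE_EXEC_EVENTS = {7045, 4698}

# Constructed sample records: one baselined admin doing normal PsExec work at
# night, one config-management task, and one ordinary user touching four hosts
# during business hours with PsExec and tasks pointing at writable paths.
SAMPLE_EVENTS = [
    {"ts": "2013-02-18T02:10:00", "host": "WS-101", "event_id": 7045,
     "user": "CORP\\admin-ops", "name": "PSEXESVC", "image": "C:\\Windows\\PSEXESVC.exe"},
    {"ts": "2013-02-18T14:02:11", "host": "FS01", "event_id": 7045,
     "user": "CORP\\jsmith", "name": "PSEXESVC", "image": "C:\\Windows\\PSEXESVC.exe"},
    {"ts": "2013-02-18T14:03:40", "host": "FS02", "event_id": 4698,
     "user": "CORP\\jsmith", "name": "\\Microsoft\\Windows\\Update", "image": "C:\\Windows\\Temp\\svc.exe"},
    {"ts": "2013-02-18T14:05:02", "host": "DC01", "event_id": 7045,
     "user": "CORP\\jsmith", "name": "PSEXESVC", "image": "C:\\Windows\\PSEXESVC.exe"},
    {"ts": "2013-02-18T14:06:30", "host": "WS-220", "event_id": 4698,
     "user": "CORP\\jsmith", "name": "\\Updater", "image": "C:\\Users\\Public\\u.exe"},
    {"ts": "2013-02-18T03:30:00", "host": "WS-102", "event_id": 4698,
     "user": "CORP\\svc-sccm", "name": "\\Microsoft\\Configuration Manager\\Inventory",
     "image": "C:\\Windows\\CCM\\CcmExec.exe"},
]


def is_psexec_service(event):
    """True for the default service name PsExec drops on the target."""
    return event["event_id"] == 7045 and event["name"].upper().startswith("PSEXESVC")


def in_maintenance_window(ts):
    return datetime.fromisoformat(ts).hour in MAINTENANCE_WINDOW


def score_event(event):
    """Return the list of weak signals this one event carries (may be empty)."""
    reasons = []
    if event["event_id"] not in REMOTE_EXEC_EVENTS:
        return reasons
    if event["user"] not in ADMIN_BASELINE:
        reasons.append("account not in remote-admin baseline")
    if not in_maintenance_window(event["ts"]):
        reasons.append("outside maintenance window")
    if is_psexec_service(event):
        reasons.append("PsExec service install")
    image = event["image"].lower()
    if any(p in image for p in ("\\temp\\", "\\users\\public\\", "\\appdata\\")):
        reasons.append("binary in user-writable path")
    return reasons


def detect(events):
    """Per-event alerts when two or more signals stack, plus a fan-out alert
    for any non-baselined account that executes on many distinct hosts."""
    alerts = []
    hosts_by_user = defaultdict(set)
    for ev in events:
        if ev["event_id"] in REMOTE_EXEC_EVENTS:
            hosts_by_user[ev["user"]].add(ev["host"])
        reasons = score_event(ev)
        # One signal alone is normal admin work; two or more rarely is.
        if len(reasons) >= 2:
            alerts.append({"user": ev["user"], "host": ev["host"],
                           "event_id": ev["event_id"], "reasons": reasons})
    for user, hosts in hosts_by_user.items():
        if len(hosts) > FANOUT_THRESHOLD and user not in ADMIN_BASELINE:
            alerts.append({"user": user, "host": None, "event_id": None,
                           "reasons": [f"remote execution on {len(hosts)} hosts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run as a script it prints four per-event alerts and one fan-out alert, all for the non-baselined account, and nothing for the two administrative accounts even though they used exactly the same mechanisms. The baseline and window are the parts that need tuning per environment; the stacking rule is what keeps the signature-free signals (a service install, a task creation) from drowning the analyst.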

The report also says the unit has large-scale infrastructure and facilities in the Pudong New Area of Shanghai, and was the beneficiary of special fibre optic communication infrastructure provided by state-owned enterprise China Telecom in the name of national defence.

Australia

While Australian organisations were not among APT1's victims, a former defence contractor security professional with access to data similar to the report's said government agencies here have been targeted.

The researcher spoke to SC on the condition of anonymity. He said his former company, like Mandiant, had chased hacking groups some of which had stolen information from the World Bank.

He warned that China is heavily involved in state-sponsored hacking against other nations, and has successfully raided Australian organisations and government agencies.

"The reason [Australia is] attacked is because you have something China wants," he said.

"China is on a Pacific Rim buying spree and needs a lot of natural resources and I don't think your country really knows how to strategise and approach China vis-a-vis its relationship with the United States."

He said US organisations including defence contractors were more focused on protecting US assets at the expense of Australian sites.

Comment Crew was the fifth most dangerous hacking group out of a list of 25. The more deadly groups conducted an initial compromise of corporate systems before Comment Crew was sent in to remain embedded in victim networks for ensuing months and years.

"There is another one in Shanghai that has more technologically sophisticated backdoors and better TTPs (Tactics, Techniques, and Procedures) than Comment Crew," the researcher said.

"Comment Crew has more malware but they get caught a lot so there is more intelligence on them," he said.

The group behind the recent attack on the New York Times was one such outfit, he said. The Times confirmed Comment Crew was not behind the attacks which targeted journalists over four months.

"There are some groups that will come as a smash-and-grab and steal everything and the kitchen sink, then Comment Crew will be sent in to mine email every week for ongoing monitoring. They have typically been associated with time-sensitive targeting, like corporate negotiations."

All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorisation.